1. Field of the Invention
The present invention relates to a device control apparatus having plural types of software installed thereon.
2. Description of the Related Art
Hitherto, in database systems and server machines designed for executing mission-critical processing, emphasis has been placed on reliability and security because of the importance of the processing and the confidentiality of the data held inside. Recently, however, reliability and security have grown in importance not only in such general computers but also in various devices such as embedded systems.
On the other hand, along with the recent downsizing trend of system LSI, there is an increasing tendency to realize in software, by embedding a processor on the system LSI, plural functions which have hitherto been realized by individual, dedicated hardware. By executing plural types of software on the processor in the system LSI, more functions can be realized by one system LSI.
In this case, it is necessary to prevent leakage of the group of software which realizes the functions hitherto realized by hardware (for example, confidential programs such as encryption programs executed on the processor, and valuable programs such as media processing), just as leakage of data such as personal information must be prevented.
When plural programs operate on one processor and one program has a defect, the execution of all other programs is disturbed and the operation of the entire apparatus may be stopped. Or, if a program installed, for example, by downloading from outside is a malicious or unauthorized program, secret information or programs may be leaked outside, or may be destroyed or altered.
To solve such problems, it is necessary to control the access to resources, such as memories or devices, assigned to the program realizing each function. For example, a program or a functional unit may be prohibited from accessing the resources assigned to another program, or access from plural functions or programs to a shared resource may be exclusively controlled. The access control mechanism and the access control information themselves must be protected from arbitrary manipulation.
Virtual machine technology has been proposed as a means for enhancing reliability and security by realizing such protection and executing plural functions separately. The virtual machine technology can be implemented in various manners. According to one manner of implementation, a virtualization layer is provided between the hardware and the operating system (OS), and plural operating systems (guest OSs) operate on the virtualization layer. The virtualization layer is generally called the hypervisor layer. The hypervisor layer manages the resources and provides a virtual machine which is composed of the resources assigned to an individual guest OS. As a result, the plurality of guest OSs can be executed in an isolated state without interfering with each other. When the function of the hypervisor layer is realized by software, such software is called a hypervisor.
Processors used in general computers have a hardware configuration for supporting virtualization. One example thereof is a technology proposed by Intel® Corporation in “Intel® Virtualization Technology Specification for the IA-32 Intel® Architecture”, [online], [searched on May 31, 2005], Internet <URL: ftp://download.intel.com/technology/computing/vptech/C97063-002.pdf>. A processor which implements the technology is provided with many privilege modes indicating the authority of the executed program, and the program can transition to a higher privilege mode during the execution of any instruction. As a result, the hardware can monitor access of a guest OS to a shared resource, while the software granted the higher privilege mode at the time of the access can check the content of the access by the guest OS.
Another example is a technology proposed by Advanced Micro Devices, Inc. A processor which implements this technology includes a mechanism for intercepting an interrupt, and a function for generating a virtual interrupt by software. Hence, after the hypervisor intercepts an interrupt, the processor can manage delivery of the interrupt to the guest OS which needs it. In addition, the processor is provided with a mechanism for monitoring the access of a guest OS to the address translation table. Thus, a guest OS is prevented from freely rewriting the address translation table in an attempt to access a memory region assigned to another guest OS.
However, unlike the advanced processors used in server computers or general computers, existing processors embedded in a system LSI or SoC (System on Chip) have limited functions and are not provided with functions for supporting virtualization. Usually, these processors support only two privilege modes, i.e., a privilege mode and a non-privilege mode. When plural guest OSs are executed on such a processor, each guest OS operates in the privilege mode of the highest level.
When a guest OS operates on such a processor in the privilege mode of the highest level, the guest OS can freely use the access control mechanism of the processor. The processor cannot protect the interrupt vector table, in which the instructions to be executed in response to an interrupt request are stored, from being rewritten by the guest OS. The guest OS can mount an attack, and cause trouble, by ignoring an interrupt of a device used by another guest OS or by returning a false reply to the interrupt of the device.
This means that the processor cannot protect itself by software alone when malicious software tries to disturb the delivery of an interrupt of a device. The reason is as follows: the guest OS operates on the processor in the privilege mode of the highest level, and the interrupt of a device does not occur synchronously with the operation of the processor, so if the malicious software is operating at the moment the interrupt is notified to the processor, the processor cannot transfer control to another guest OS or the like.